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ABSTRACT 


Smart  card  transaction  times  will  increase  as  the  number  of  bits  used  in  the  algorithms 
proteeting  the  eards  to  ensure  seeurity  inereases.  This  is  a  potential  problem  for  the 
Department  of  Defense,  whieh  requires  smart  card  usage  for  its  employees.  This  paper 
defines,  compares,  and  contrasts  two  algorithms:  Rivest-Shamir-Adleman  (RSA)  and 
Elliptic  Curve  Cryptography  (ECC),  and  then  provides  test  data  for  eneryption  algorithms 
tested  on  particular  certification  key  processes  in  an  attempt  to  show  that  the  ECC 
eneryption  algorithm  provides  the  seeurity  necessary  for  smart  card  operations  at  a  fast 
enough  speed  to  benefit  smart  card  users.  It  deseribes  the  Open  Protoeol  for  Aceess 
Control  Identification  and  Ticketing  with  privacY  (OPACITY)  pilot  project  that  took 
place  over  2014  in  relation  to  the  card  testing,  and  hypothesizes  the  risks  and  mitigation 
factors  for  the  Department  of  Defense  to  permanently  switch  to  the  ECC  algorithm  for 
smart  card  use. 
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I.  INTRODUCTION 


A.  PROBLEM  STATEMENT 

Smart  cards  used  by  Department  of  Defense  (DOD)  employees  antieipate  key 
length  ehanges  that  make  the  performanee  time  of  smart  eards  untenable  to  users  and  eard 
issuers  in  the  future,  based  on  the  requirement  that  they  be  “strongly  resistant  to  identity 
fraud,  tampering,  eounterfeiting,  and  terrorist  exploitation”  per  Homeland  Security 
Presidential  Direetive  12  (DHS,  2004). 

B.  PURPOSE  STATEMENT 

The  CAC  (Common  Aceess  Card),  the  smart  eard  used  for  standard  identifioation 
and  physieal  seeurity  aeeess  for  thousands  of  DOD  personnel,  is  set  to  undergo  some 
ehanges  due  to  higher  seeurity  eoneems.  The  Rivest-Shamir-Adleman  (RSA)  algorithm 
eurrently  in  use  by  the  DOD  is  seeure  for  now,  but  in  the  future,  without  signifioant  key 
size  inereases,  there  is  a  risk  of  attaek  by  haekers  looking  to  gain  aeeess  to  information  on 
the  eard.  In  eomparison,  the  Elliptieal  Curve  Cryptography  (ECC)  algorithm  has  been 
identified  as  a  more  seeure  and  faster  way  of  enerypting  eertifieates  with  a  lower  bit  size 
than  the  RSA  algorithm. 

The  National  Institute  of  Standards  and  Teehnology  (NIST)  reeommends  that  in 
order  to  proteet  a  symmetrie  key  of  128  bits  (Seeret  information  as  elassified  by  NIST), 
the  RSA  key  must  be  at  least  3072  bits  long  to  deter  attaekers,  and  this  rate  exponentially 
inereases  as  the  symmetric  key  size  inereases  (The  ease  for  elliptie  curve  eryptography 
[The  ease],  2009).  Eor  Top  Seeret  information,  the  number  of  bits  required  for  RSA 
eneryption  (256  bits)  is  almost  30  times  that  of  the  (ECC)  eneryption  algorithm  (The 
ease,  2009).  This  ereates  a  situation  where  performanee  suffers  as  the  size  of  the 
symmetrie  keys  inerease.  The  RSA  algorithm  size  required  to  thwart  would-be  attaekers 
is  large  enough  to  affeet  the  speed  of  the  transaetion,  which  in  turn  would  affect 
thousands  of  DOD  workers.  Closely  related  to  the  key  size  of  different  publie  key 
systems  is  the  channel  overhead  required  to  perform  key  exehanges  and  digital  signatures 
on  a  oommunieations  link  (The  ease,  2009).  The  key  size  for  the  transaetion  is  identieal 
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to  the  number  of  bits  being  transferred.  This  scenario  could  have  serious  national  security 
consequences  for  the  war  fighter  who  needs  secure  efficient  and  fast  communication 
transfers. 

The  DOD  launched  a  pilot  program  during  the  summer  of  2014  using  OPACITY 
software  in  conjunction  with  the  ECC  algorithm  on  mobile  devices.  Smart  cards  that  use 
the  ECC  algorithm  are  now  available  to  test  performance  measures  with.  This  paper 
analyzes  the  performance  of  14  standard  encryption  algorithms,  including  RSA  and  ECC, 
to  compare  and  contrast  the  encryption  timing  of  each  using  both  contact  and  contactless 
connections,  in  hopes  of  providing  physical  evidence  that,  for  the  same  level  of  security, 
ECC  is  the  better  algorithm  to  use.  With  data  evidence,  it  will  be  possible  to  make  a 
formal  recommendation  that  DOD  smart  cards  be  migrated  from  using  the  RSA 
algorithm  to  the  ECC  algorithm. 

This  paper  will  define  the  ECC  algorithm  and  compare  the  number  of  bits 
required  for  effective  and  efficient  security  to  the  currently  used  RSA  algorithm.  A  case 
study  focusing  on  OPACITY  software  will  be  described,  and  testing  will  be  conducted  on 
smart  cards.  Testing  for  this  thesis  will  include  taking  a  measure  of  on-card  performance 
of  14  encryption  algorithms,  differentiated  by  both  algorithm  and  bytes,  and  measured  in 
groups  by  iteration.  Additionally,  more  comprehensive  testing  of  end-to-end  ECC 
performance  across  DOD  networks  will  be  included,  recording  comparisons  of 
performance  between  contact  readers,  desktop  contactless  readers,  and  mobile  NFC 
devices.  Standard  deviations  will  be  calculated  to  identify  any  data  collected  that  falls 
outside  the  norm.  Graphs  will  be  designed  to  display  the  different  algorithms  and  their 
performance  compared  to  the  others.  Eastly,  a  potential  DOD  move  from  RSA  to  ECC 
algorithms  will  be  analyzed  for  risk  and  mitigating  factors.  The  following  outline  briefly 
describes  each  chapter  of  the  thesis. 

1.  Comparative  Analysis  of  ECC  versus  RSA  Algorithms 

The  ECC  cryptography  algorithm  requires  significantly  fewer  bits  to  protect  the 
same  sized  symmetric  key  as  the  RSA  cryptography  algorithm.  The  second  chapter  of 
this  thesis  will  contrast  and  compare  in  laymen’s  terms  the  ECC  and  RSA  cryptography 
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algorithms,  focusing  on  the  improvements  that  ean  be  made  by  implementing  ECC  on  the 
smart  eard. 

2,  Open  Protocol  for  Access  Control  Identification  and  Ticketing  with 
privacY  Case  Study 

The  third  ehapter  will  highlight  a  ease  study  being  tested  at  the  Defense 
Manpower  Data  Center  (DMDC)  in  Seaside,  CA,  foeusing  on  Open  Protoeol  for  Aeeess 
Control  Identifieation  and  Tieketing  with  privaeY  (OPACITY),  a  protoeol  ereated  for 
seeure  eontaetless  eommunieations  using  smart  eards.  The  underlying  teehnology  will  be 
stipulated  but  real-world  data  will  be  provided  to  illustrate  the  functionalities  of  the 
protocol  enabling  seeure  digitally  signed  and  enerypted  emails  using  Near  Field 
Communieation  (NFC)  eontaetless  smart  eards.  Providing  seeure  eommunieations  over 
mobile  phone  technologies  is  a  high-level  initiative  for  the  DOD  aeross  the  board  as  it 
will  enable  vetted  defense  users  to  eommunieate  with  one  another  using  Publie  Key 
Infrastrueture  (PKI)  teehnology  on  their  smart  phones  in  a  seeure,  reliable,  and  timely 
manner. 


3.  Card  Testing  and  Algorithm  Performance  Comparison 

The  fourth  ehapter  will  delve  into  the  meat  of  the  thesis,  deseribing  a  java 
program  written  to  test  DOD  CAC  eards  that  have  ECC  algorithms  implemented.  Test 
data  will  be  analyzed  for  performanee  measurements  sueh  as  average  key  generation 
times  and  key  generation  probability  distributions  to  eompare  RSA  results  with  the  ECC 
results  now  available  in  this  research.  The  top  three  eategories  of  this  testing  are  signing 
digital  eertifieates,  enerypting  and  deerypting  messages. 

4,  Risk  and  Mitigation  Analysis  for  Move  from  RSA  to  ECC  Algorithm 

The  last  ehapter  will  provide  updated  requirements  and  deadlines  aeross  the  DOD 
for  the  latest  eneryption  and  mobile  teehnology  standards.  Risks  and  possible  risk 
mitigation  will  be  diseussed  for  the  DOD  migration  from  RSA  technology  to  ECC 
technology,  as  all  currently  issued  CAC  eards  would  need  to  be  re-issued  with  the  new 
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CAC  hardware.  This  migration  will  likely  be  slow  and  diffieult  so  the  goal  will  be  to 
minimize  the  impaet  of  ehanges  on  users. 
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II.  COMPARATIVE  ANALYSIS  OF  ECC 
VERSUS  RSA  ALGORITHM 


A,  PROBLEMS  OF  THE  RIVEST-SHAMIR-ADLEMAN  CRYPTOGRAPHIC 

ALGORITHM 

Smart  cards — mini  computer  systems — are  being  used  around  the  world  today  to 
complete  millions  of  transactions,  including  transaction  types  such  as  identification, 
financial  (electronic  wallets),  transport,  and  even  application  processing.  There  is 
increased  need  for  security  as  sensitive  military,  commercial  and  private  data  inereasingly 
becomes  transmitted  wirelessly... which  translates  into  more  sophisticated  encryption 
algorithms  which  add  to  additional  hardware,  power  and  time  requirements  (Owor, 
Dajani,  Okonkwo,  &  Hamilton,  2007).  Digital  signatures  and  encryption  are  the  two 
most  important  uses  of  smart  cards  within  the  DOD,  which  enables  the  cards  to  be 
Personal  Identity  Verification  (PIV)  cards  per  the  National  Institute  of  Standards  and 
Teehnology  (NIST).  The  PIV  standards  laid  out  in  Federal  Information  Processing 
Standard  (FIPS)  201  set  requirements  for  federal  employees  and  contractors  accessing 
information  systems  (Department  of  Commerce,  2013). 

Smart  cards  within  the  DOD  are  primarily  used  as  security  tokens  to  establish 
proof  of  identity,  through  verification  of  certifications  stored  on  the  smart  eard  using 
encryption  algorithms.  Every  eryptosystem  relies  upon  what  is  hoped  to  be  an  unsolvable 
mathematical  problem,  and  this  is  the  encryption  algorithm  that  is  used.  It  is  imperative 
that  eneryption  algorithms  do  not  add  an  overbearing  cost  in  terms  of  time,  power  and 
weight  to  the  design  of  these  systems  (Owor  et  ah,  2007).  A  public  key  infrastructure 
(PKI)  issues  encrypted  digital  certificates  to  users  which  are  stored  on  the  smart  card 
itself,  and  a  pair  of  asymmetric  keys  are  generated  by  an  encryption  algorithm  every  time 
the  certificates  need  to  be  accessed.  An  asymmetric  key  pair  is  used  since  it  establishes  a 
pair  for  every  user  needed  on  the  smart  card  rather  than  multiple  pairs  of  key  sets  like  a 
symmetric  key.  The  encryption  algorithm  should  provide  the  highest  possible  level  of 
encryption  security  at  the  lowest  possible  cost  in  terms  of  the  size  of  the  encryption  key, 
the  number  of  operations  and  the  unit  time  of  encryption  (Owor  et  ah,  2007).  The  length 
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of  a  key,  in  bits,  for  a  conventional  encryption  algorithm  is  a  common  measure  of 
security  (The  case,  2009). 

Currently,  the  RSA  cryptographic  algorithm  is  being  used  to  verify  identity 
certifications  on  smart  cards  for  the  DOD.  This  algorithm  was  one  of  the  first  widely 
accepted  secure  methods  of  private  key  encryption  in  use  for  data  transmission.  The 
premise  of  the  algorithm  is  that  a  public  and  private  key  is  generated  by  the  algorithm. 
The  public  key  is  generated  to  encrypt  the  data  and  the  private  key  is  generated  to  decrypt 
the  data.  The  RSA  algorithm  problem  rests  on  determining  what  the  prime  numbers  being 
used  are,  the  “factoring  problem.”  The  product  of  these  prime  numbers  plus  an  additional 
random  value  is  what  makes  up  the  public  key.  The  key  set  is  generated  by  the  RSA 
algorithm  every  time  the  card  is  accessed  by  the  user  in  order  to  determine  the  identity  of 
the  user  by  verifying  the  encrypted  digital  certificate  of  that  user. 

The  key  set  is  generated  by  using  the  following  algorithm  (al  Hasib  &  Haque, 

2008): 

1 .  Select  two  large  prime  numbers  p  and  q  (e.g.  1024  bits  each)  such  that  p 
6=q. 

2.  Compute  modulus  n  =  p.q 

3.  Calculate  totient,  ‘(n)  =  (p-l).(q-l) 

4.  Choose  an  integer  (public  exponent)  e,  1  j  e  j  ‘(n),  such  that  gcd(e,  ‘(n))  = 

1. 

5.  Compute  the  secret  exponent  d,  1  ;  d  j  ‘(n),  such  that  d:e  _1  (mod  n). 

6.  The  public  key  is  (n,  e) 

7.  And  the  private  key  is  (n,  d). 

The  main  drawback  of  RSA  is  its  efficiency,  in  particular  for  some  devices  with 
limited  computing  power  such  as  smart  cards  (Nassr,  Bahig,  Bhery  &  Daoud,  2008). 
RSA  keys  being  used  in  smart  cards  had  a  length  of  1024  bits  a  few  years  ago.  This  is  no 
longer  recommended  since  a  short  RSA  key  can  be  discovered  through  security  attacks 
such  as  a  brute  force  attack  or  mathematical  attack.  Instead,  a  2048  bit  length  is  now  used 
in  CAC  and  PIV  cards.  The  number  of  values  that  must  be  tried... with  a  brute  force 
attack... doubles  with  each  bit  added  to  the  key  length  (Owor  et  ah,  2007),  making  the 
algorithm  more  difficult  to  break;  however,  the  larger  key  will  make  the  encryption  and 
decryption  process  a  little  slow  as  it  will  require  greater  computations  in  key  generation 
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as  well  as  in  encryption/decryption  algorithm  (al  Hasib  &  Haque,  2008).  The  longer  the 
key  length  required  the  slower  the  performanee  for  the  key  generation.  It  is  this  decrease 
in  efficiency  that  makes  increasing  the  bit  length  of  the  RSA  algorithm  an  untenable 
solution  to  increase  the  security  of  smart  cards  for  users  in  the  DOD  who  must  access 
digital  certificates  repeatedly  throughout  the  work  day. 

B,  BENEFITS  OF  THE  ELLIPTIC  CURVE  CRYPTOSYSTEM 

The  Elliptic  Curve  Cryptosystem  is  an  improvement  on  RSA  because  it  uses  an 
elliptic  curve  algorithm  that  reduces  the  amount  of  bits  required  for  the  same  level  of 
security.  This  is  becoming  increasingly  important  due  to  the  higher  level  of  threats  from 
hacking  technologies.  Gupta  stated  that  an  Elliptical  curve  may  be  defined  as  an  equation 
of  the  form  ay2  +  bxy  =  cx3  +  dx2  +  ex  +  f,  where  a,  b,  c,  d,  e,  f,  x  and  y  are  for 
cryptographic  purposes  restricted  to  each  belong  to  a  finite  field  i.e.,  a,  b,  c,  d,  e,  f,  x  and 
y  are  each  chosen  from  a  distinct  set  of  integral  values  as  cited  in  Owor  et  ah,  2007.  The 
ECC  relies  upon  the  difficulty  of  the  Elliptic  Curve  Discrete  Logarithm  Problem 
(ECDLP)  (Owor  et  ah,  2007)  as  its  unsolvable  mathematical  problem.  NIST  has 
published  the  Digital  Signature  Standard  (DSS),  (PIPS  186-4),  which  standardizes  the 
Elliptic  Curve  Digital  Signature  Algorithm  (ECDSA)  and  recommends  fifteen  sets  of 
elliptic  curve  domain  parameters  to  be  used  in  ECC  cryptosystems.  The  NSA  has 
endorsed  the  use  of  ECC  in  its  Suite  B1  set  of  algorithms,  which  have  been  deemed 
secure  for  Top  Secret,  Secret,  and  Sensitive  but  Unclassified  information. 

ECC  devices  “smaller  key  sizes  result  in  smaller  system  parameters,  smaller 
public-key  signatures,  bandwidth  savings,  faster  implementations,  lower  power 
requirements,  and  smaller  hardware  processors”  (Chatterjee  &  Gupta,  2009).  The  digital 
signatures  created  by  the  algorithm  are  smaller  since  they  are  more  computationally 
efficient.  They  will  require  less  overhead  to  transmit  as  well.  Por  example,  the  224  bit 
ECC  key  provides  the  same  amount  of  security  as  a  2048  bit  RSA  key.  This  makes  ECC 
the  perfect  choice  for  a  space  limited  device  such  as  the  smart  card  where  minimizing 
power  and  energy  consumption  is  crucial.  With  ECC,  the  time  needed  to  generate  a  key 
pair  is  so  short  that  even  a  device  with  the  very  limited  computing  power  of  a  smart  card 
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can  generate  the  key  pair,  provided  a  good  random  number  generator  is  available 
(Chatterjee  &  Gupta,  2009).  The  ECC  algorithm  will  grow  in  usage  as  information 
becomes  more  and  more  secure.  Figure  1  demonstrates  the  differenee  in  key  sizes 
between  an  RSA  key  and  an  ECC  key,  as  well  as  the  ratio  of  cost  of  the  Diffie-Hellman 
Key  size  to  the  ECC  key  size. 


Symmetrie  Key 
Size/Security  Eevel 
(bits) 

RSA  &  Diffie-Hellman 
Key  Size  (bits) 

Elliptic  Curve 

Key  Size  (bits) 

Ratio  of 
DH  Cost: 
EC  Cost 

80 

1024 

160 

3:1 

112 

2048 

224 

6:1 

128 

3072 

256 

10:1 

192 

7680 

384 

32:1 

256 

15360 

521 

64:1 

Figure  1.  NIST  Reeommended  Key  Sizes  and  Relative  Computation  Costs. 

(after  “The  case  for  elliptic  curve  eryptography,”  2009). 


It  is  important  to  remember  that  the  speed  of  the  eryptography  eomputing  process 
does  take  its  toll  in  a  financial  sense  as  well,  when  you  consider  that  over  1.5  million 
transactions  are  logged  daily  (US  DOD  CAC,  2010).  The  biggest  performance  difference 
is  when  the  smart  card  has  to  generate  a  public/private  key  pair.  The  ECC  and  RSA 
Algorithm  Performanee  Comparison  (key  pair  generation),  presented  in  Figure  14  in 
Section  IV  of  this  paper,  showed  that  the  RSA  algorithm  at  2048  bits  was  46  times 
computationally  slower  than  the  ECC  algorithm  at  the  same  number  of  bits.  Eaeh  RSA 
key  generation  took  approximately  38  seconds  while  eaeh  ECC  key  generation  took  less 
than  one  second.  To  translate  this  finaneially,  for  eaeh  key  pair  generation  taking 
approximately  38  seconds  for  an  employee  making  $30/hour  would  eost:  0.63  minutes 
wait  time  per  person  per  transaction  x  $0. 50/minute  estimated  labor  eost  ($30/hour).  For 
a  Verifying  Official(VO)  working  at  a  Real-Time  Automated  Personnel  Identifieation 
System  (RAPIDS)  site  distributing  cards  to  a  DOD  employee  (2  users)  eaeh  RSA  card 
would  cost  $0.32  more  than  an  ECC  eard  simply  based  on  the  time  it  takes  to  generate  the 
key  pair.  If  500  cards  a  day  are  produeed  at  a  Card  Issuanee  Facility  (CIF)  it  would  take 
five  hours  to  generate  the  key  proeess  on  the  cards  with  the  RSA  algorithm  while  the 
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same  number  of  cards  with  the  ECC  algorithm  could  be  produced  in  less  than  10  minutes. 
For  every  500  cards  issued,  RSA  costs  will  be  over  twice  as  much  as  ECC  costs,  and 
employees  will  not  be  able  to  produce  as  many  cards.  This  example  is  a  fraction  of  actual 
card  transactions  occurring  within  the  DOD,  so  the  end  total  loss  in  wait  time  for  DOD 
employees  is  not  trivial. 
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III.  OPACITY  CASE  STUDY 


A,  MOBILE  DEVICE  SMART  CARD  LIMITATIONS 

The  Department  of  Defense  is  the  nation’s  largest  employer,  eurrently  employing 
over  two  million  people;  1.4  million  active  duty  military,  718,000  civilian  employees, 
and  1.1  million  National  Guard  and  Reserve  military  (Figure  2).  There  are  over  5000  sites 
or  installations  where  DOD  employees  work  all  over  the  world. 


OoOIT  UMrBaM 


Ar*a  of  Support 


*  1.4  milion  active  duty 

*  750.000  ctviian  personnel 

■  1.1  milaon  National  Guard 
and  Reserve 

*  5.5»nniion  famly  members 
and  miMaty  retirees 


*  146  ♦  countries 

*  6,000  *  locations 

*  600,000  *  buildvigs  and 
structures 


Total  IT  Budgot 


•  $37  b«M>n 

*  $10bilion  in  Infrastnicture 


IT  Systom* 


*  10,000«  Operational  systems 
(20%  mission  critical) 

•  772*  Data  Centers 


•  67,246  Servers 

*  7*  m4bon  computers  and  IT 
devices 


Figure  2.  DOD  IT  infrastructure  characteristics  (from  Information  Technology 

(IT)  Enterprise  Strategy  and  Roadmap,  2011.). 


The  mission  of  the  DOD  is  to  protect  the  security  of  the  United  States  of  America, 
and  all  of  the  employees  of  the  DOD  require  Common  Access  Cards  (CAC)  in  order  to 
perform  their  work  securely  and  access  working  sites  securely  using  the  certifications 
stored  on  the  smart  cards  as  a  means  of  PIV  authentication.  The  majority  of  DOD  sites 
today  (whether  physical  access  sites  or  websites  on  the  Internet)  require  digital 
certification  upon  logon,  which  requires  the  CAC  card.  The  certifications  on  the  CAC 
card  are  accessed  hundreds  of  times  per  working  day  per  employee,  so  with  a  time 
estimate  of  6-8  seconds  per  access  multiplied  by  ~100  times  a  day  per  employee,  there  is 
a  significant  amount  of  time  being  used  on  CAC  transactions.  Currently,  employees 
within  the  DOD  use  the  Microsoft  Outlook  mail  client  in  order  to  send  digitally  signed 
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and  encrypted  emails  to  and  from  one  another.  This  mail  client  can  be  accessed  through  a 
web  browser  but  encrypted  and  digitally  signed  documents  are  not  enabled  unless  a  CAC 
reader  is  also  connected  to  the  device  in  question  in  order  to  access  the  certificates  on  the 
CAC  itself 

According  to  IDC  (Market  Analysis:  Worldwide  Mobile  Enterprise  Security 
Software  2012-2016  Forecast  and  Analysis),  mobile  identity  and  access  management  is 
expected  to  grow  by  27.6  percent  between  2010  and  2016  (Effective  identity  and  access 
management  in  a  mobile  world,  n.d.).  There  is  significant  growth  in  mobile 
communications  within  the  United  States,  and  within  the  DOD,  the  Chairman  of  the  Joint 
Chiefs  of  Staffs  Capstone  Concept  for  Joint  Operations:  Joint  Force  2020,  Reference  (b), 
recognizes  mobile  technology  as  a  key  capability  enabler  for  joint  force  combat 
operations;  secure  commercial  mobile  applications  are  increasingly  viewed  as  essential  to 
innovations  and  improved  mission  effectiveness  across  a  wide  range  of  DOD  mission 
areas  (Takia,  2013).  There  are  at  least  11,000  Government  Funded  Equipment  (GFE) 
mobile  phones  issued  within  the  Marine  Corps  services  alone  (FICAM  Mobile  Pilot 
Solution  Case  Studies  Version  1.0,  personal  communication,  April,  2014).  Achieving  and 
maintaining  the  information  advantage  as  a  critical  element  of  national  power  requires  the 
concentrated  effort  of  the  entire  DOD  to  provide  an  information  environment  optimized 
for  the  warfighter  and  effective  for  all  echelons,  from  the  tactical  edge  to  the  strategic 
core  (Information  Technology  (IT)  Enterprise  Strategy  and  Roadmap,  2011). 

“A  mobile  device...  is  a  portable  computing  device  that:  (i)  has  a  small  form 
factor  such  that  it  can  easily  be  carried  by  a  single  individual;  (ii)  is  designed  to  operate 
without  a  physical  connection  (e.g.,  wirelessly  transmit  or  receive  information);  (iii) 
possesses  local,  non-removable  or  removable  data  storage;  and  (iv)  includes  a  self- 
contained  power  source. .  .but  mobile  devices  lack  the  integrated  smart  card  readers  found 
in  laptop  and  desktop  computers  and  require  separate  card  readers  attached  to  devices  to 
provide  authentication  services  from  the  device”  (Federal  Information  Security 
Management  Act  (FISMA),  Public  Faw  (P.F.)  107-347,  2014).  Mobile  devices  are 
generally  too  small  to  integrate  smart  card  readers  into  the  device  itself,  requiring 
alternative  approaches  for  communicating  between  the  PIV  Card  and  the  mobile  device 
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(FISMA,  Public  Law  (P.L.)  107-347,  2014).  Smart  card  technology  is  present  in  almost 
all  mobile  deviees,  either  on  the  SIM  card  or  through  another  secure  element  like  a 
Seeure  Digital  (SD)  card. 

B,  DOD  PROOF  OF  CONCEPT 

The  DOD  has  sponsored  development  of  the  Open  Protocol  for  Access  Control, 
Identifioation,  and  Tieketing  with  privacy  (OPACITY),  which  is  a  Diffie-Hellman-based 
key  exchange  protocol  to  establish  seeure  channels  in  contaetless  environments.  The 
protocol  has  been  registered  as  an  ISO/IEC  24727-6  authentieation  protoeol  and  is 
specified  in  the  draft  ANSI  504-1  national  standard  (GICS)  (Dagdelen,  Fischlin, 
Gagliardoni,  Marson,  Mittelbaeh,  &  Onete,  2013).  It  is  eompliant  with  the 
reeommendation  by  the  National  Institute  of  Standards  and  Teehnology  (NIST)  in  the 
“Recommendation  for  Pair-Wise  Key  Establishment  Schemes  Using  Diserete  Eogarithm 
Cryptography”  publication  800-56Ar2,  2013,  as  well  as  the  National  Security  Agency’s 
(NSA)  Suite  B  Cryptography  standards.  The  Opacity  software  uniquely  and  seeurely 
identifies  each  cardholder  over  a  contactless  interfaee  using  the  PKI  certifieates,  which 
are  hard  to  reproduee.  Opacity  uses  two  key  exchange  protocols:  Zero  Key  Management 
(ZKM)  and  Eull  Seereey  (ES).  The  ZKM  protocol  only  ensures  the  identity  of  the 
cardholder  and  does  not  require  maintaining  registered  public  keys.  The  ES  protoeol  will 
require  mutual  authentieation  and  is  a  secure  way  to  protect  both  the  identities  of  the 
communicating  parties  as  well  as  the  message  in  relay  itself  whieh  is  encrypted  using 
ECC.  OPACITY  has  been  targeted  for  use  in  many  ways.  Some  examples  of  possible 
OPACITY  use  cases  are  shown  in  Eigure  3. 
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Figure  3 .  OPACITY  USE  CASES .  (from  ACTIVIDENTIT Y:  The  Open 

Protocol  for  Access  Control  Identification  and  Ticketing  with  PrivacY 
Eor  Secure  Contactless  Transactions  and  Enabling  Eogical  and 
Physical  Access  [Powerpoint]  (n.d.).  Retrieved  August  2014. 


OPACITY  contains  a  Secure  Authentication  Module  (SAM)  that  is  similar  to  the 
Hardware  Security  Module  (HSM)  within  a  smart  card  (Eigure  4).  The  SAM  contains  a 
private  key  and  root  public  keys  and  helps  to  establish  sessions  once  the  application  in 
question  has  asked  for  authentication  from  the  smart  card.  Both  the  SAM  and  the  smart 
card  will  generate  keys  that  will  be  matched  and  authentication  will  be  granted  if  the 
match  is  successful. 


Eigure  4.  OPACITY  simple  command  flow,  (after  ACTIVIDENTITY:  The 
Open  Protocol  for  Access  Control  Identification  and  Ticketing  with 
PrivacY  Eor  Secure  Contactless  Transactions  and  Enabling  Eogical 
and  Physical  Access  [PowerPoint]  n.d.  Retrieved  August  2014. 
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The  primary  goal  of  the  OPACITY  Proof  of  Concept  (POC)  at  DMDC  was  to 
demonstrate  secure  PKI  transactions  using  smart  cards  over  a  Near  Field  Communication 
(NFC)  contactless  interface.  There  were  also  four  main  objectives  working  toward  this 
goal  (HID  Professional  Services  Document  NFC  Mobile  PoC  Integration  Test  Report, 
personal  communication,  March  31,  2014) 

•  To  demonstrate  the  feasibility  of  securing  the  NFC  contactless  interface  in 
a  mobile  environment  simply  by  holding  an  OPACITY-enabled  smartcard 
to  the  back  of  the  phone — ^without  a  Bluetooth  smartcard  sled  reader,  a 
connected  reader  or  alternate  secure  element  such  as  a  secure  microSD. 

•  To  demonstrate  the  business  value  of  OPACITY  to  enforce  the 
Government  mobility  mandates  for  mobile  devices  (alignment  with  ANSI 
504  /  GICS  part  I  and  FIPS  201-2:  Secure  Contact  interface). 

•  To  identify  the  improvements  and/or  adjustments  needed  in  the 
infrastructure  to  promote  the  use  of  mobile  devices  by  Government 
employees. 

•  To  assess  any  technology  limitations  in  order  to  use  existing  NFC-enabled 
smart  phones  to  operate  with  new  generations  of  the  CAC.  The  purpose  is 
also  to  gather  requirements  for  the  upcoming  generation  of  cards  and 
smart  phones  to  support  above  use  cases 

These  objectives  fulfilled  the  directive  of  the  DOD  Identify  Council  to  both  use 
PKI  credentials  on  the  smart  card  while  securing  the  mobile  work  environment.  Since  an 
NFC-enabled  mobile  device  can  interact  with  a  PIV  Card  over  its  contactless  antenna  at  a 
very  close  range,  the  mobile  device  can  use  the  keys  on  the  PIV  Card  without  a  physical 
connection  (FISMA,  Public  Law  (P.L.)  107-347).  It  still  uses  a  two-factor 
challenge/response  system  that  asks  for  a  pin  and  responds  to  the  request.  The  technology 
chosen  must  also  incorporate  Public-Key  Cryptography  Standards  (PKSC)  #11  which 
deals  with  cryptographic  tokens  (i.e.,  the  certificates  existing  on  the  smart  card). 
Requirements  for  the  pilot  project  were  outlined  in  the  original  scope  proof  of  concept 
document  (HID  Professional  Services  Document  NFC  Mobile  PoC  Integration  Test 
Report,  personal  communication,  March  31,  2014)- 

•  Requirement  1 :  The  mobile  email  client  shall  use  the  OPACITY  protocol 
to  authenticate  the  user  and  use  Secure  Messaging  to  secure  the  CAC 
contactless  interface  for  PKI  transactions 
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•  Requirement  2:  The  PoC  solution  shall  support  the  email  signing  and 
email  deeryption  use  cases 

•  Requirement  3:  The  email  client  application  should  enforce  the 
cardholders  authentication  to  the  mobile  email  client  using  the  CAC 

•  Requirement  4;  The  PoC  shall  be  conducted  on  an  external  facing 
infrastructure.  This  intention  of  this  PoC  is  not  only  to  demonstrate  the  use 
of  the  mobile  email  application  using  the  CAC,  but  to  use  the  solution  in  a 
real-world  environment  to  assess  real-world  obstacles  or  ease  of  use. 
Hence,  the  PoC  email  infrastructure  must  be  accessible  via  the  NIPRNet 
rather  than  only  within  a  closed  lab  environment. 

•  Requirement  5:  The  PoC  solution  shall  support  up  to  40  participants 

•  Requirement  6:  The  evaluation  cards  issued  to  participants  shall  use 
fictitious  user  information  to  avoid  exposing  any  Personally  Identifiable 
information 

•  Requirement  7:  The  email  transactions  shall  utilize  DISA  test  certificates. 
The  CAC-Like  cards  will  request  the  ID,  PIV  authentication,  email  and 
signing  certificates  from  the  DISA  test  Certificate  Authority. 

•  Requirement  8:  The  PoC  shall  only  use  CAC-Like  test  cards  encoded  with 
the  DOD  CAC+PIV  EP  Data  Model 

•  Requirement  9:  The  PoC  Shall  limit  the  use  cases  to  PKI  operations.  The 
card  surface  printing  shall  clearly  identify  the  card  as  a  sample  card  for  the 
DMDC  Mobile  NFC  Proof  of  Concept  and  must  not  resemble  the  FIPS 
20I-I  card  surface  requirements. 

•  Requirement  10;  The  PoC  Shall  limit  the  use  cases  to  PKI  operations.  The 
PoC  use  cases  do  not  encompass  the  use  of  the  CAC  Demographic  data  or 
biometric  data.  Therefore,  the  PoC  card  personalization  must  include 
specific  test  data: 

•  Requirement  1 1 ;  The  PoC  shall  support  specific  mobile  phone  devices 

•  Requirement  12;  The  PoC  shall  support  specific  card  platforms  which  is 
considered  proprietary  information  and  will  not  be  shared  in  this  thesis. 


DMDC  partners  with  HID  for  the  PoC  cards:  creation,  pin  reset,  termination  and 
reissue.  The  cards  used  in  the  POC  project  were  generated  by  HID  since  the  current  CAC 
cards  at  DMDC  do  not  support  a  specific  applet  that  was  still  in  development  and  under 
review  by  NIST.  HID  partners  with  Good  for  Government  Technology  to  provide  both  a 
commercial  secure  email  client  and  a  mobile  device  manager  (MDM)  as  the  interface 
used  to  test  out  the  smart  card  certifications,  both  for  the  Good  enterprise  servers,  the 
Activid  application,  and  the  email  client.  A  breakdown  of  roles  and  responsibilities  per 
organization  for  the  PoC  is  presented  in  Figure  5. 
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Organization  Role^esponsibility 

HID  Global 

Implement  OPACITY  enabled  Applets,  imptement  noobile  NFC  SOK.  pmirde  smart  card  test  tod. 
encode  PoC  cards,  prefect  management,  integration  assistance .  evaluation  test  scripts 

Good  Technology 

Provde  MDM  infrastnjcture.  provde  mobile  email  application  with  OPACITY  support 

DMDC 

Sponsor,  provide  S3mple  data  and  OISA  test  certificates,  prefect  mar^a^ement.  evaluaton  test 
scripts 

Figure  5.  Integration  Summary,  from  HID  Professional  Serviees  Doeument  NFC 
Mobile  PoC  Integration  Test  Report,  personal  communieation,  Mareh 

31,2014 


Good  Teehnology  is  promoting  its  enterprise  data  and  device  management  system 
used  to  secure  access  to  email  through  certificate-based  authentication 
Secure/Multipurpose  Internet  Mail  Extensions  (S/MIME).  The  software  provides  a 
seamless  interface  on  different  device  platforms  including  Android,  iOS,  and  Windows. 
Good  Technology  supports  all  legacy  smart  cards  or  the  users  can  choose  to  use  a 
MicroSD  card  within  their  mobile  phones  as  the  primary  credential.  Eollowing  is  an 
example  of  the  different  features  available  from  Good  Technology  (Eigure  6). 


1  Feature 

K}S 

Android 

Windows  Phone 

Secure  email,  calendar,  contacts,  tasks,  browser, 
file  repository 

X 

X 

Secure  email,  calendar,  contacts, 
tasks  and  file  repository  are 
currently  available. 

Encrypt  data  on  the  device  and  over  the  air 

X 

X 

X 

Authenticate  with  strong  password  enforcement 

X 

X 

X 

Wipe  lost  or  stolen  devices  remotely 

X 

X 

X 

Detect  and  shut  down  jailbroken  or  rooted 
devices 

X 

X 

Not  applicable 

Extend  mobile  collaboration  through  integration 
with  Good  and  Good-secured  apps 

X 

X 

Not  currently  available 

Prevent  data  leakage  by  restricting  cut/copy/ 
paste  between  apps 

X 

X 

X 

Distribute  apps  through  a  secure  corporate  app 
store 

X 

X 

Not  currently  available 

Exchange  Server  Support 

X 

X 

X 

Domino  Server  Support 

X 

X 

X 

Eigure  6.  Management  and  Control  Eeatures  from  Good  for  Enterprise  Data 
Sheet  [Brochure],  (n.d).  Retrieved  August  2014  from 
https://media.good.com/documents/ds-good-for-enterprise.pdf 
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The  Defense  Manpower  Data  Center  (DMDC)  reeeived  several  Samsung  and 
Galaxy  phones  (Android)  from  different  mobile  phone  carriers  to  use  in  the  test  pilot. 
Specially  configured  test  CACs  and  test  DOD  PKI  certificates  were  used  in  conjunction 
with  the  phones  to  test  specific  use  cases.  These  test  CACs,  provided  by  card 
manufacturers,  allowed  encrypted  PKI  transactions  over  contactless  interfaces.  The 
Proof  of  Concept  cards  are  non-FIPS  versions  of  the  next  generation  of  card  platforms. 
These  DMDC-selected  cards  support  Elliptic  Curve  Cryptography  used  by  the  OPACITY 
protocol  and  support  NFC  used  to  communicate  with  the  mobile  device  (HID 
Professional  Services  Document  NFC  Mobile  PoC  Integration  Test  Report,  personal 
communication,  March  31,  2014).  DMDC  provided  the  fictitious  data  that  was  used  to 
identify  the  smart  cards  being  used  during  the  testing,  plus  the  test  certificates  provided 
by  DISA.  The  certificates  include:  ID  certificate.  Email  Signing  Certificate,  Email 
Encryption  Certificate,  and  the  PIV  Authentication  Certificate.,  although  only  the  email 
certificates  were  tested.  Basically,  the  testers  had  to  hold  an  OPACITY-enabled  smart 
card  to  the  back  of  the  mobile  device,  authenticate  into  the  MDM,  and  secure  the  existing 
email  application  with  PKI  certificates  on  the  CAC  to  digitally  sign,  encrypt,  and  decrypt 
email  contactlessly  (see  Figure  7).  It  was  necessary  to  do  this  without  a  connected  card 
reader  or  secure  microSD  within  the  mobile  device.  The  transaction  between  the  card  and 
the  device  is  encrypted  using  an  ANSI  504  OPACITY  ZKM  secure  channel.  This  Diffie- 
Hellman  Elliptic  Curve  Cryptography  is  a  non-proprietary  way  to  encrypt  the  contactless 
channel  of  the  CAC. 
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Figure  7.  NFC-Enabled  Mobile  Phone  Used  as  a  Reader  (Mobile  devices  and 
identity  applications  [Publication]  September  2012.  Retrieved  March 

2015  ) 


DMDC  employees  were  tasked  with  testing  the  phones  for  five  specific  use  cases. 
The  use  cases  consisted  of  the  following: 

•  User  Authentication 

•  Send  and  receive  Signed  email,  with  and  without  attachments 

•  Send  and  Receive  Encrypted  email,  with  and  without  attachments 

•  Send  and  Receive  both  Signed/Encrypted  email,  with  and  without 
attachments 

•  Usability  Testing  (Eoss  of  NEC  Session) 

The  user  must  be  able  to  authenticate  to  the  Good  application  in  five  seconds  or 
less  (a  timely  manner)  by  responding  to  the  prompt  for  credentials  with  the  user’s  pin, 
and  receiving  an  acknowledgment  that  the  authentication  requirements  have  been 
satisfied.  In  order  to  send  a  signed  and/or  encrypted  email  the  user  must  establish  a  secure 
session  and  the  application  establishes  the  hashed  data  to  be  signed  by  the  user’s  email 
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signing  key  on  the  PoC  eard.  In  order  to  reeeive  a  signed  email  the  proeess  is  reversed: 
the  applieation  is  able  to  deerypt  the  provided  hash  and  verify  it  matehes  the  email 
elient’s  ealeulated  hash.  This  proeess  is  duplieated  for  emails  that  eontain  attaehments. 
The  user  also  should  verify  that  the  time  taken  to  sign  and/or  enerypt  an  email  is  a 
reasonable  amount  of  time,  within  a  few  seeonds.  A  major  part  of  the  usability  testing 
eoneemed  the  suceess  or  failure  rate  of  the  NFC  eonnection.  Users  documented  how 
difficult  it  might  have  been  to  determine  the  correct  location  of  the  connection  between 
the  smart  card  and  the  NFC  connection,  and  the  success  and  failure  rate  of  that 
connection  especially  during  specific  tasks  such  as  encrypting  an  email.  Users  were  also 
asked  whether  or  not  they  might  have  preferred  a  protective  case  that  correctly  positioned 
the  card  upon  the  NFC  antenna,  however,  since  the  antenna  location  is  in  different 
locations  for  different  phones  this  would  be  a  difficult  prospect.  An  illustration  of  the 
proper  connection  area  for  a  Samsung  Galaxy  3  is  shown  in  Figure  8. 


Figure  8.  Using  contactless  cards  with  NFC-enabled  devices  (HID 

TECHNICAL  NOTE  Document  Version  1.1:  Using  Contactless 
Cards  with  NEC-Enabled  Devices,  personal  communication,  March 

2014) 

The  OPACITY  pilot  at  DMDC  was  considered  a  success.  All  stakeholders 
involved  (DMDC,  HID  Global,  and  Good  Technologies)  worked  together  on  the 
objectives  and  outcomes  and  demonstrated  effective  team  participation.  All  testers 
indicated  that  the  contactless  connection  when  working  properly  is  the  most  convenient 
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and  cost  effective  way  to  authentieate  to  a  mobile  deviee.  Testers  provided  valuable 
feedbaek  on  the  testing  experienee  that  ean  be  used  to  improve  the  proeess  in  the  future. 
A  timing  delay  was  diseovered  in  a  speeific  eard  model  and  the  vendor  was  made  aware 
of  it  in  order  to  make  necessary  ehanges.  A  bug  in  manufactured  NFC  readers  was  also 
discovered  and  that  information  was  made  available  to  the  vendor  for  correetion.  Specifie 
points  gained  from  testing  ineluded: 

•  Smart  card  RF  Signal  strength  needs  improvement  and  different  eard 
vendors  should  standardize  for  eonsistent  RF  strength 

•  NFC  reader  signal  strength  on  mobile  phones  needs  improvement  as  well 
as  a  standardized  position  for  the  NFC  eonnection;  addition  of  smart  eard 
testing  at  manufaeturer  level  needs  to  occur 

•  Smart  card  response  time  and  performanee  must  be  improved,  ideally 
between  300-500  ms  per  transaetion 

•  Smart  eard  vendors  should  work  on  non-proprietary  solutions  that  mesh 
with  standards  being  developed;  gov’t  should  identify  their  needs  and 
work  with  vendors  to  ineorporate  those  needs  when  possible 
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IV.  CARD  TESTING  AND  ALGORITHM  PERFORMANCE 

COMPARISON 


This  portion  of  the  paper  focuses  on  the  testing  of  smart  cards  to  compare  the  key 
generation  time  for  different  algorithms.  The  key  generation  time  is  important  in  terms  of 
the  OPACITY  test  pilot  because  the  NFC  connection  over  a  mobile  phone  must  be  fast 
enough  to  enable  Department  of  Defense  employees  to  sign  and  encrypt  emails  in  a 
reasonable  amount  of  time,  ideally  3/10-5/10  of  a  second  per  transaction.  Three  different 
types  of  cards  by  manufacturer  were  used  which  will  be  identified  by  Card  1,  Card  2,  and 
Card  3.  Four  different  types  of  algorithms  were  used:  SHA,  AES,  RSA,  and  ECC.  Some 
of  the  tests  focused  on  key  generation,  key  computation,  and  key  agreement.  In  addition, 
different  key  lengths  for  each  algorithm  were  also  used  to  track  the  operation  time  for 
each  length.  Lastly,  each  algorithm  was  tested  for  three  different  numbers  of  iterations  in 
order  to  determine  whether  the  number  of  iterations  increased  the  time  taken  to  complete 
the  specific  transaction. 

Three  specific  operations  were  tested:  compute,  key  generation,  and  key 
agreement.  Compute  simply  means  performing  the  standard  algorithm  identified  in  each 
test.  Key  generation  is  the  process  of  creating  a  public  and  private  key  pair.  The 
encryption  key  is  public  and  the  decryption  key  is  private.  The  key  agreement  test 
consists  of  the  basic  Hellman-Diffie  test:  two  users  can  exchange  keys  with  one  another 
by  establishing  a  shared  secret  key.  The  compute  test  was  performed  on  the  Secure  Hash 
Algorithm  (SHA)  and  Advanced  Encryption  Standard  (AES)  algorithms.  The  key 
generation  test  was  performed  on  the  RSA  and  ECC  algorithms.  The  key  agreement  test 
was  only  performed  on  the  ECC  algorithm. 

This  particular  set  of  tests  was  run  on  a  contactless  interface  (having  the  smart 
card  connect  with  the  smart  card  reader  wirelessly  using  the  RF  signal).  All  of  the  testing 
was  done  using  a  T=1  protocol  which  means  that  each  APDU  transaction  has  the 
capability  to  send  a  command  and  receive  data  within  one  transaction.  The  time  involved 
in  setting  up  the  command  with  just  the  algorithms  was  isolated  in  order  to  subtract  it  out 
from  the  timing  of  the  actual  operations  being  performed  on  each  algorithm.  Results  were 
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returned  in  seconds,  milliseconds,  and  microseconds.  All  results  were  converted  to 
microseconds  since  it  was  the  smallest  common  imit  of  retiun.  The  types  of  operations, 
algorithms,  and  bit  lengths  tested  are  identified  in  Table  1. 


OPERATION 

ALGORITHM 

BIT  LENGTH 

Compirte 

SHA 

1 

256 

384 

AES 

128 

192 

256 

Generate 

RSA 

1024 

2048 

ECC 

224 

256 

384 

Key  Agr  eement 

224 

256 

384 

Table  1 .  Operation,  algorithm,  and  bit  length  testing 


Demonstrating  the  value  of  testing  was  a  challenge  for  several  reasons.  Different 
capabilities  existed  on  the  three  different  types  of  cards.  Comparisons  between  all  cards 
could  not  be  done  since  different  operations,  algorithms,  and  bit  lengths  were  available 
only  on  certain  cards.  First,  not  all  cards  could  support  the  same  algorithms.  For  instance. 
Card  2  did  not  contain  the  RSA  algoritlim  or  the  SHA  and  ECC  bit  length  384  algorithms 
so  the  results  were  empty  for  that  set  of  tests.  Another  example:  Card  1  came  back  with 
‘UNKNOWN’  results  for  the  ECC  Key  Agreement  operation  which  indicates  that  the  test 
failed  but  left  no  conchrsion  as  to  what  might  have  gone  wrong.  The  cards  were  tested  at 
300,  1000,  and  5000  iterations  and  the  resirlts  were  all  similar  in  scope  between  the  three 
different  iterations,  hr  general,  the  operation  timing  decreased  as  the  number  of  iterations 
increased  because  the  cormnarrd  generation  time  (sirbtracted  fiom  the  operation  timing) 
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had  less  of  an  effect  on  a  higher  number  of  iterations.  Figure  9  shows  (in  cards  1,  2,  and 
3)  that  the  operation  length  decreased  with  each  set  of  iterations. 
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Figure  9.  Timing  decreases  as  number  of  iterations  increases 


A.  PERFORMANCE  COMPARISON  OF  THREE  CARD  TYPES 

Each  following  section  will  focus  on  a  specific  algorithm  tested  at  different  bit 
lengths.  Not  all  bit  lengths  are  supported  by  all  card  algorithms.  Charts  will  show  visual 
representation  of  the  results  of  each  test  set. 

1,  AES  Algorithm 

Figure  10  shows  the  comparison  between  the  three  different  card  types  for  the 
computation  of  the  AES  algorithm  tested  at  bit  lengths  of  128,  192,  and  256.  Card  2  took 
significantly  more  time  than  Cards  1  and  3.  This  type  of  testing  is  especially  beneficial 
for  organizations  such  as  DMDC  in  order  to  determine  which  card  type  will  best  fulfill 
requirements  of  specific  initiatives. 
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Figure  10.  Comparison  of  3  card  types  with  AES  compute  algorithm 


2,  SHA  Algorithm 

Figure  1 1  shows  the  same  type  of  card  comparison  but  compares  the  computation 
of  the  SHA  algorithm  instead.  For  the  Block  1  and  256  bit  lengths,  Card  2  takes  longer  to 
compute  the  same  algorithm.  Card  2  does  not  support  the  384  bit  length  test  so  no  results 
were  returned  for  that  test. 
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Figure  1 1 .  Comparison  of  3  card  types  with  SHA  compute  algorithm 


3,  ECC  Algorithm 

Figure  12  is  a  comparison  of  the  key  generation  process  on  three  different  types  of 
cards  using  ECC.  The  bit  length  of  384  is  not  supported  on  Card  2  so  that  test  result  is 
missing  but  card  2  has  the  slowest  performance  on  all  other  supported  bit  lengths.  Card  1 
has  the  fastest  performance  for  all  tested  bit  lengths. 
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Figure  12.  Comparison  of  key  generation  of  3  eard  types  with  ECC  eompute 

algorithm 


Figure  13  is  a  eomparison  of  the  key  agreement  proeess  on  three  different  types  of 
eards  using  ECC.  Card  1  did  not  support  this  algorithm  at  all,  and  Card  2  only  supported 
the  algorithm  for  224  and  256  bit  lengths.  Card  3  was  the  only  eard  that  supported  this 
algorithm  at  the  384  bit  length,  so  if  this  level  of  seeurity  was  needed  for  a  speeifie 
proeess,  then  this  type  of  eard  would  be  the  only  available  eard  to  work  with. 
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Figure  13.  Comparison  of  key  agreement.  3  card  types  with  ECC  compute 

algorithm 

4,  ECC  and  RSA  Algorithm  Performance  Comparison 

Figure  14  contains  the  most  important  results  in  terms  of  the  pilot  project 
identified  in  this  paper.  It  compares  the  speed  of  key  generation  using  the  RSA  algorithm 
against  the  speed  of  key  generation  using  the  ECC  algorithm  at  equivalent  bit  lengths. 
According  to  data  generated  by  NIST,  the  performance  cost  of  using  the  RSA  algorithm 
is  six  times  higher  than  that  of  using  the  ECC  algorithm  at  the  same  bit  length.  This 
means  that  in  order  to  provide  the  same  level  of  security  as  the  ECC  algorithm,  the  RSA 
algorithm  would  take  six  times  as  long  to  generate  keys.  This  was  corroborated  by  the 
test  performed  on  available  cards  for  this  research.  Cards  1  and  2  did  not  support  testing 
the  RSA  algorithm  for  key  generation  at  2048  bytes.  The  only  key  generation  comparison 
that  could  be  made  at  an  equivalent  bit  length  between  RSA  and  ECC  with  provided  card 
materials  was  using  Card  3.  It  took  the  RSA  algorithm  approximately  46  times  longer  to 
generate  the  key  than  it  did  the  ECC  algorithm. 
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Figure  14.  Comparison  of  RSA  to  ECC  compute  algorithm 
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V.  RISK  AND  MITIGATION  ANALYSIS  FOR  MOVE  FROM  RSA 

TO  ECC  ALGORITHM 


According  to  the  DOD  Mobile  Deviee  Strategy,  “sueeessful  execution...”  of  an 
implementation  plan  “relies  on  the  eollaboration  and  eooperation  of  all  DOD  eomponents 
and  on  partnerships  with  federal,  intelligenee,  aeademia,  and  eommereial  eommunities,” 
but  that  it  is  neeessary  to  keep  the  DOD  workforee  “relevant  in  an  era  when  information 
and  eyberspaee  play  a  eritieal  role  in  mission  sueeess”  (DOD,  2014).  A  primary  goal  of 
the  Mobile  Device  Strategy  is  to  “Institute  Mobile  Deviee  Polieies  and  Standards,”  whieh 
eneompasses  the  usage  of  eommereial  products  in  a  timely  manner  as  well  as  a  system 
that  ean  securely  manage  them  in  addition  to  edueation  for  mobile  deviee  users. 

DOD  must  establish  a  mobile  deviee  seeurity  arehiteeture  whieh  ineludes  the 
“Publie  Key  Infrastructure  security,  access,  and  identification  controls  at  the  network, 
deviee,  and  application  levels”  (DOD,  2014).  The  eryptographie  implementation  (ECC 
algorithm)  should  follow  the  reeommendations  of  NSA/NIST  in  all  categories.  In 
addition,  eonforming  to  standards  of  the  Common  Criteria  for  Information  Teehnology 
Seeurity  Evaluation  (CC),  an  international  standard  for  eomputer  seeurity  assuranees,  is 
advisable. 

The  implementation  must  be  enterprise-wide  but  must  also  support  executive  and 
taetieal  or  battlefield  mission  eritieal  agendas.  Unfortunately,  the  lengthy  eertifieation 
proeesses  required  for  most  United  States  government  makes  adoption  of  any  new 
teehnologies  a  slow  and  ehallenging  undertaking.  The  following  standards  need  to  be 
taken  into  eonsideration  when  implementing  ehanges  to  any  government  issued  eard 
proeess:  Eederal  Information  Proeessing  Standard  (PIPS  201,  PIPS  140),  NIST 
Recommendation  (i.e.,  NIST  SP800-63-I,  SP  800-157).  Government  IT  departments 
will  have  to  configure  and  manage  the  new  technology  in  terms  of  mobile  authentication. 
This  will  require  extensive  user  training  and  must  eonform  to  the  existing  smart  eard 
regulations. 

Coordination  with  third-party  vendors  is  a  eritieal  factor.  Card  vendors  must  not 

ereate  proprietary  solutions  but  must  instead  focus  on  conforming  to  U.S.  government 
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and  ANSI  standards.  Card  manufacturers  must  be  able  to  provide  these  in  the  quantity 
desired.  Once  the  new  algorithm  has  been  integrated  into  the  smart  cards,  the  smart  cards 
will  be  implemented  into  the  current  processes  for  dispensing  cards  to  users.  In  addition, 
the  administration  will  have  to  determine  whether  or  not  users  ean  Bring  Your  Own 
Device  (BYOB)  or  use  only  Government  Funded  Equipment  (GEE).  Eimiting  devices  to 
GEE  allows  the  agency  to  more  closely  manage  the  device  and  application  usage  than 
they  would  be  able  to  for  bring  your  own  deviee  (BYOD)  [Mobile  Pilot  Solution  Case 
Studies  Version  1.0],  personal  eommunication,  April,  2014].  Either  way,  training  will 
need  to  be  provided  in  order  to  use  mobile  device  certificate  signing  and  encryption.  This 
training  should  be  done  in  a  general  applieation  or  demonstration. 

The  protection  of  privacy  is  a  huge  initiative  within  the  DOD.  The  CAC  contains 
a  variety  of  Personally  Identifiable  Information  (PII)  which  must  be  protected  from 
unauthorized  access  (Preliminary  Confidentiality  Impaet  Eevel  Analysis-version  0  6, 
personal  communication,  April  2014).  Therefore,  consideration  of  the  protection  of  this 
information  has  to  be  paramount  in  the  implementation  of  aecessing  CACs  through  a 
mobile  device.  The  DOD  has  applied  the  assessment  model  described  in  NIST  SP  800- 
122  to  determine  a  Preliminary  Confidentiality  Impact  Eevel  Assessment  of  the  PII  and 
linked  and  linkable  data  contained  in  the  ehip  on  the  PIV  card  in  the  eontext  of  a 
Contaetless  Secure  Messaging  solution.  This  includes  information  in  the  x.509  certifieate, 
the  Card  Holder  Unique  Identifier,  and  possibly  biometries  data  and  personal  data.  The 
biometrics  data  is  especially  considered  high  importanee  sinee  it  is  not  easily  aeeessed 
elsewhere.  This  makes  the  features  available  on  the  eards  extremely  critieal — the  eard 
manufacturers  must  take  responsibility  to  remove  any  and  all  unused  features  on  the  card 
in  order  to  avoid  possible  pathways  to  manipulate  and  extract  card  content.  In  addition, 
users  should  be  required  to  have  CAC  cards  contained  within  radio  frequency  shields  so 
that  contactless  interference  cannot  occur. 

One  concern  that  was  addressed  is  the  possibility  of  “sniffing”  vulnerabilities 
through  the  contactless  interface,  since  eontaetless  transaetions  have  not  been  used  before 
but  would  be  required  in  the  mobile  scenario.  The  information  available  for  sniffing  on 
the  eard,  which  includes  attributes  such  as  different  name  types  and  email  addresses  are 
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easily  obtained  through  other  means  than  the  CAC  card,  so  are  not  deemed  a  significant 
privacy  risk.  A  secure  messaging  (SM)  channel  that  implements  digital  signatures, 
enforcing  integrity  of  information,  is  used  to  access  the  objects  on  the  contactless 
interface.  SM  requires  that  the  card  be  within  a  specific  distance  from  the  reader  in  order 
to  power  the  card.  Electromagnetic  opaque  sleeves  can  also  be  used  to  mitigate  the  risk, 
and  the  combination  of  these  three  factors  actually  entails  less  risk  than  the  contact  reader 
interface,  since  contactless  transaction  times  are  much  shorter  than  those  of  a  card  sitting 
within  the  reader  for  an  unspecified  amount  of  time.  In  addition,  a  pairing  code  is  being 
proposed  that  would  require  a  six  digit  pin  be  entered  prior  to  any  certificates  being 
accessed  on  the  card.  The  pairing  code  would  ‘pair’  a  reader  and  a  card  together  which 
would  prevent  any  other  rogue  devices  from  ‘skimming’  information  off  of  the  card.  If  a 
pairing  code  is  added  to  the  process  then  DOD  will  incur  significant  additional  costs  and 
development  time  to  add  this  feature.  These  recommendations  must  be  evaluated  prior  to 
final  implementation  of  CAC  mobile  access. 

Separate  mobile  pilots  were  also  executed  by  the  Defense  Information  Systems 
Agency  (DISA),  the  U.S.  Marine  Corps  (USMC),  and  the  U.S.  Department  of  Agriculture 
(USDA).  A  gap  analysis  was  done  as  an  overview  for  mobile  technology  and  technical, 
policy,  and  marketplace  gaps  were  identified.  Technical  gaps  included  the  control  of 
personal  information  on  mobile  devices  (especially  in  terms  of  legal  liability),  the  lack  of 
standardization  for  PIV  technologies  (especially  in  terms  of  security),  and  the  lack  of 
available  Certificate  Authorities  (CA)  to  handle  the  software  certificates  needed  to  access 
mobile  devices.  Policy  gaps  included  policy  questions  regarding  two-factor 
authentication  requirements  by  the  Office  of  Management  and  Budget  (0MB),  questions 
of  whether  the  PIV  certificates  meet  requirements  for  Level  of  Assurance  (LOA)  4 
authentication,  and  whether  or  not  certificate  solutions  align  with  the  upcoming  NIST  SP 
800-157.  Marketplace  gaps  included  the  lack  of  mobile  device  and  application 
management  solutions  (especially  for  Bring  Your  Own  Device  (BYOD)  programs),  lack 
of  federally  approved  secure  mobile  device  solutions,  lack  of  applications  that  support  the 
use  of  PIV  credentials,  and  lack  of  vetting  solutions  for  new  and  updated  application 
vetting.  Recommendations  were  made  to  mitigate  the  technical,  policy,  and  marketplace 
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gaps  but  these  would  require  a  concerted  effort  between  government  agencies,  mobile 
device  manufacturers,  hardware  component  developers,  service  providers,  and  third-party 
vendors. 

DISA  has  been  incorporating  mobility  planning  in  its  strategic  plans  for  a  few 
years  as  part  of  its  DOD  Mobility  Implementation  Plan.  As  of  January  31,  2014,  DISA 
deployed  version  1.0  of  the  unclassified  mobility  plan,  which  supports  1800  mobility 
devices  (i.e.,  iPad,  tablets)  as  well  as  80000  BlackBerry  phones.  The  mobility  plan  itself 
will  be  deployed  in  three  phases  over  2014,  with  the  first  phase  focusing  on  policy,  the 
second  phase  focusing  on  security  and  service,  and  the  third  phase  focusing  on  operations 
and  management.  There  are  16  approved  mobile  applications  with  90  more  being  vetted 
for  use.  All  of  the  current  tasks  being  performed  are  unclassified,  but  DISA  will  continue 
to  work  towards  a  secure  mobile  solution  to  enable  DOD  workers  to  perform  their  jobs. 
Users  are  being  transitioned  in  according  to  the  priorities  set  by  the  commands.  DISA 
also  created  a  Mobility  website  to  track  and  promote  all  of  its  mobility  documentation 
and  policies,  which  include  four  primary  goals  listed  in  Figure  15. 


Goall 

Advance  and  Evofve  the  DoO  Infornwtion  Enterprise 
Infrastructure  to  support  Mobile  Devices 

k _ - 

Goal  2 

- ^ 

Institute  Mobile  Device  Policies  and  Standards 

Promote  the  development  jnd  Use  of  DoO  Mobile 
end  Wel^Enabled  Applications 


Goal  4 

Develop  an  enterprise  MobiiltY  service  for  OassTfied  1 
and  Unr  las&ifled  capabilities  1 

L _ _ 

Figure  15.  Mobility  goals,  DISA  (DISA;  DOD  MOBILITY  PROGRAM,  2012.) 


The  DOD  Mobility  Implementation  Plan  pinpoints  potential  issues  in  regard  to 

governance,  cost  management,  and  mobile  device  management.  Metrics  will  be  taken  on 

mobile  device  statistics  and  audits  will  be  performed  to  ensure  the  best  solutions  are 
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being  taken.  Requirements  will  be  developed  for  policies  including  application 
development,  accreditation,  and  certification.  A  DOD  Mobility  Program  Management 
Office  (PMO)  is  being  established  to  handle  ah  mobility  related  tasking.  The  General 
Services  Administration  (GSA)  will  be  working  on  a  mobile  contract  that  encompasses 
the  entire  government’s  mobility  needs.  This  will  include  the  infrastructure,  devices, 
applications,  information  assurance  and  any  necessary  user  training.  The  BYOD  option  is 
not  approved  at  this  time  but  will  continue  to  be  evaluated  for  future  use.  Classified 
access  will  be  authorized  over  encrypted  websites  only  but  not  through  contactless  CAC 
interaction  with  a  mobile  device  itself 
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